Details
- Type: New Feature
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Jenkins version: 2.190.3
- Keycloak plugin version: 2.3.0
Description
We would like to login using AD group membership. We've synced our groups in Keycloak and then added a mapper to the Jenkins client in Keycloak using the "Keycloak config" here.
Authorization fails unless user is added to Project Matrix permissions rather than group. "<user> is missing the Overall/Read permission".
This plugin gives nowhere to add a "Token Claim Name" defined in our Keycloak mapper. Am I right that this plugin lacks the ability to log in by virtue of group membership? If so, this is a feature request.
http://<jenkins_url>/whoAmI/ doesn't show any group memberships, but I'm not sure whether it should.
I think I have a similar setup with keycloak federating a freeipa server.
I managed to get this working by adding a custom token mapper to my client in keycloak that remaps Group membership as "roles" in the access token (screenshot attached),
since it turns out that this plugin is hardcoding "roles" as the attribute to define jenkins group membership: https://github.com/jenkinsci/keycloak-plugin/blob/e3bec1d828e54dcffe0312547aa7f9571b263169/src/main/java/org/jenkinsci/plugins/KeycloakAuthentication.java#L59
Ideally the attribute for group membership should be configurable and this seems easy enough to add.
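To check what the plugin would see from a token shaped by the mapper described in the comment above, here is an added troubleshooting script (not part of the plugin or this issue). It builds a constructed, unsigned JWT-shaped token with group membership under "roles" (the attribute the comment says the plugin hard-codes) and under a hypothetical "groups" claim name, then reads the groups out by claim name; signature verification is deliberately not done here, since the plugin performs that itself.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_token(payload: dict) -> str:
    """Build a JWT-shaped string for inspection only; the signature segment is an
    empty placeholder, so this token would never pass the plugin's validation."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    """Decode the payload segment of a token you already hold (no signature check:
    this is a debugging aid, not an authentication step)."""
    body = token.split(".")[1]
    padded = body + "=" * (-len(body) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def groups_from_token(token: str, claim_name: str = "roles") -> list[str]:
    """Return the group list read from `claim_name`. The default "roles" mirrors
    the hard-coded attribute the comment points at in KeycloakAuthentication;
    a mapper writing to any other claim name yields an empty list here."""
    value = decode_payload(token).get(claim_name, [])
    if isinstance(value, str):  # tolerate a single-valued claim
        value = [value]
    return [str(v) for v in value]


# Constructed sample payload: the custom mapper from the comment writes group
# membership to "roles"; "groups" is a hypothetical alternative claim name.
SAMPLE_PAYLOAD = {
    "preferred_username": "alice",
    "roles": ["jenkins-admins"],
    "groups": ["/jenkins-admins"],
}
SAMPLE_TOKEN = build_token(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(groups_from_token(SAMPLE_TOKEN))              # ['jenkins-admins']
    print(groups_from_token(SAMPLE_TOKEN, "groups"))    # ['/jenkins-admins']
    print(groups_from_token(SAMPLE_TOKEN, "memberOf"))  # []
```

Run it against a real access token copied from Keycloak's token evaluation for the Jenkins client: an empty list for "roles" is consistent with the "missing the Overall/Read permission" failure in the description.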